Summary: Memory corruption in load_ruleset_game() on 64bit
                 Project: Freeciv
            Submitted by: cazfi
            Submitted on: Tuesday 08/10/2010 at 12:03
                Category: general
                Severity: 3 - Normal
                Priority: 1 - Later
                  Status: Ready For Test
             Assigned to: None
        Originator Email: 
             Open/Closed: Open
                 Release: TRUNK
         Discussion Lock: Any
        Operating System: None
         Planned Release: 2.3.0
load_ruleset_game() casts an int pointer to a size_t pointer in the call to
secfile_lookup_str_vec(), which then writes a size_t variable through that
pointer. This is not nice when the int we reserve space for is 32-bit and
the size_t we insert is 64-bit.

Fix attached.

As always with memory corruption bugs, the consequences of this bug depend on
compiler optimization, i.e. on what the compiler decides to put next to the
teams variable. With optimization completely disabled this was causing the
variable 'file' to be zeroed, leading to the error message:
"1: in secfile_check_unused() [../../../src.patched/utility/registry.c::969]:
assertion '((void *)0) != secfile_sections(secfile)' failed."
File Attachments:

Date: Tuesday 08/10/2010 at 12:03  Name: 64bitSizetFix.diff  Size: 795B   By:
  Message sent via/by Gna!

Freeciv-dev mailing list
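The width mismatch described in the report, as an added C example that is not Freeciv's code or the attached patch: lookup_str_vec_len() is a stand-in for secfile_lookup_str_vec(), assumed to store the vector length through its size_t pointer, and struct locals is a constructed layout that puts a second int right after the int slot so the clobber is visible regardless of how the compiler orders stack variables. The buggy caller passes the int slot through the same cast as load_ruleset_game(); the fixed caller receives the length in a size_t and narrows it with a range check.

```c
#include <limits.h>
#include <stddef.h>

/* Two adjacent 4-byte slots, laid out explicitly (constructed for this
 * example). 'teams' stands in for the int in load_ruleset_game(),
 * 'neighbour' for the 'file' variable the report saw zeroed. The
 * alignment keeps the size_t store in the buggy path well aligned. */
struct locals {
    _Alignas(size_t) int teams;
    int neighbour;
};

#define SENTINEL 0x5a5a5a5a

struct result { int status; int teams; int neighbour; };

/* Stand-in for secfile_lookup_str_vec(): assumed to write the vector
 * length through its size_t pointer. noinline hides the store width from
 * the caller, as a separately compiled registry.c would. */
static __attribute__((noinline)) void lookup_str_vec_len(size_t *dim)
{
    *dim = 4; /* constructed: four team names in the ruleset */
}

/* Buggy pattern from the report: int* cast to size_t*. On a 64-bit host
 * the callee writes 8 bytes into a 4-byte slot; the length lands in one
 * half (which one depends on endianness) and the other half is zeroed. */
struct result buggy_lookup(void)
{
    struct locals l = { 0, SENTINEL };
    lookup_str_vec_len((size_t *)&l.teams);
    return (struct result){ 0, l.teams, l.neighbour };
}

/* Fixed pattern: receive the length in the callee's own type, then
 * narrow it with a range check before storing into the int. */
struct result fixed_lookup(void)
{
    struct locals l = { 0, SENTINEL };
    size_t dim;
    lookup_str_vec_len(&dim);
    if (dim > INT_MAX) {
        return (struct result){ -1, 0, l.neighbour }; /* does not fit an int */
    }
    l.teams = (int)dim;
    return (struct result){ 0, l.teams, l.neighbour };
}
```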